CLAIMS 

What is claimed is:

1. A method of selectively enforcing a security policy in a network, the method comprising the computer-implemented steps of:
    creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource;
    receiving, from an external binding process, a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network;
    updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and
    permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.

2. A method as recited in Claim 1, wherein the steps of creating and storing one or more access controls in a policy enforcement point that controls access to the network comprise the steps of:
    creating and storing one or more definitions of groups in a data store;
    creating and storing one or more definitions of resources within a data store;
    creating and storing one or more access controls at the policy enforcement point, wherein each of the access controls specifies that a named group is allowed access to a particular resource, and wherein one of the access controls specifies that all other traffic is denied access to the network.

3. A method as recited in Claim 1, further comprising the steps of distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points of a protected network that the user seeks to access.
4. A method as recited in Claim 1, further comprising the steps of distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points that define a security zone that encompasses the user.

5. A method as recited in Claim 1, wherein the steps of receiving a binding of a network address to an authenticated user of a client for which the policy enforcement point controls access to the network comprise the steps of receiving an Internet Protocol (IP) address for the user from a network address binding resolution (NABR) process.

6. A method as recited in Claim 1, further comprising the steps of determining that the user has discontinued use of the client, and deleting the network address to which the user is bound from each named group of each policy enforcement point of the network.



7. A method of selectively enforcing a security policy in a network, the method comprising the computer-implemented steps of:
    creating and storing one or more definitions of abstract groups that are authorized to use protected resources of the network, wherein each of the definitions of abstract groups includes an abstract group name and a list of one or more network addresses of authorized users of the protected resources;
    creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource;
    receiving a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network;
    determining whether the bound network address of the authenticated user is in one of the lists of one of the named abstract groups; and
    permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named abstract group identified in one of the access controls that specifies that the named group is allowed access to the network.

8. A method as recited in Claim 7, wherein the steps of creating and storing one or more access controls in a policy enforcement point that controls access to the network comprise the steps of:
    creating and storing one or more definitions of groups in a data store;
    creating and storing one or more definitions of resources within a data store;
    creating and storing one or more access controls at the policy enforcement point, wherein each of the access controls specifies that a named group is allowed access to a particular resource, and wherein one of the access controls specifies that all other traffic is denied access to the network.

9. A method as recited in Claim 7, further comprising the steps of distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points of a protected network that the user seeks to access.

10. A method as recited in Claim 7, further comprising the steps of distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points that define a security zone that encompasses the user.

11. A method as recited in Claim 7, wherein the steps of receiving a binding of a network address to an authenticated user of a client for which the policy enforcement point controls access to the network comprise the steps of receiving an Internet Protocol (IP) address for the user from a network address binding resolution (NABR) process.
12. A method as recited in Claim 7, further comprising the steps of determining that the user has discontinued use of the client, and deleting the network address to which the user is bound from each named group of each policy enforcement point of the network.

13. A computer-readable medium carrying one or more sequences of instructions for selectively enforcing a security policy in a network, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
    creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource;
    receiving a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network;
    updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and
    permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.

14. A computer-readable medium as recited in Claim 13, wherein the instructions for carrying out the steps of creating and storing one or more access controls in a policy enforcement point that controls access to the network comprise instructions for carrying out the steps of:
    creating and storing one or more definitions of groups in a data store;
    creating and storing one or more definitions of resources within a data store;
    creating and storing one or more access controls at the policy enforcement point, wherein each of the access controls specifies that a named group is allowed access to a particular resource, and wherein one of the access controls specifies that all other traffic is denied access to the network.
15. A computer-readable medium as recited in Claim 13, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points of a protected network that the user seeks to access.

16. A computer-readable medium as recited in Claim 13, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points that define a security zone that encompasses the user.

17. A computer-readable medium as recited in Claim 13, wherein the instructions for carrying out the steps of receiving a binding of a network address to an authenticated user of a client for which the policy enforcement point controls access to the network comprise instructions for carrying out the steps of performing network address binding resolution for the user.

18. A computer-readable medium as recited in Claim 13, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of determining that the user has discontinued use of the client, and deleting the network address to which the user is bound from each named group of each policy enforcement point of the network.

19. An apparatus for selectively enforcing a security policy in a network, comprising:
    means for creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource;
    means for receiving a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network;
    means for updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and
    means for permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.

20. An apparatus for selectively enforcing a security policy in a network, comprising:
    a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
    a processor;
    one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
        creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource;
        receiving a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network;
        updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and
        permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.

21. A method as recited in Claim 1, wherein the steps of receiving a binding of a network address to an authenticated user of a client for which the policy enforcement point controls access to the network comprise the steps of receiving an Internet Protocol (IP) address for the user from an ASAP protocol process.
22. A method as recited in Claim 1, wherein the steps of receiving a binding of a network address to an authenticated user of a client for which the policy enforcement point controls access to the network comprise the steps of receiving an Internet Protocol (IP) address for the user from a DNS process.

23. A method of selectively enforcing a security policy in a network, the method comprising the computer-implemented steps of:
    creating and storing one or more access control list entries in a network router that acts as a policy enforcement point device and that controls access of clients to the network, wherein each of the access control list entries specifies that a named group of users is allowed or refused access to a particular network resource;
    creating and storing one or more definitions of the named groups in a data store that is accessible by the network router;
    receiving, from an external process that can bind a user to a specific network address, a binding of a network address to an authenticated user of one of the clients for which the router controls access to the network;
    updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and
    permitting a packet flow originating from the bound network address to pass from the policy enforcement point into the network only if the bound network address is in the named group identified in one of the access control list entries that specifies that the named group is allowed access to the network.

24. A method of selectively enforcing a security policy in a network, the method comprising the computer-implemented steps of:
    creating and storing one or more access control list entries in a network router that acts as a policy enforcement point device and that controls access of clients to the network, wherein each of the access control list entries specifies that a named group of users is allowed or refused access to a particular network resource;
    creating and storing one or more definitions of the named groups in a data store that is accessible by the network router;
    receiving, from an external process that can bind a user to a specific network address, a binding of a network address to an authenticated user of one of the clients for which the router controls access to the network;
    updating the named group to include the bound network address of the authenticated user at the policy enforcement point;
    permitting a packet flow originating from the bound network address to pass from the policy enforcement point into the network only if the bound network address is in the named group identified in one of the access control list entries that specifies that the named group is allowed access to the network; and
    distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points that define a security zone that encompasses the user;
    determining that the user has discontinued use of the client, and deleting the network address to which the user is bound from each named group of each policy enforcement point of the network.
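The enforcement procedure the claims describe (access control entries that name abstract groups, an address-to-user binding arriving from an external binding process, the named group updated with the bound address, a catch-all entry denying all other traffic, distribution of the binding to every policy enforcement point in a security zone, and removal of the address when the user discontinues use of the client), as an added Python simulation that is not part of the patent; the directory, ACL entries, addresses and class names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AclEntry:
    group: str      # named abstract group; "*" is the catch-all for all other traffic
    resource: str   # protected resource; "*" matches any resource
    permit: bool

# Constructed data store of group definitions: user -> named abstract groups.
DIRECTORY = {"alice": {"engineering"}, "bob": {"finance", "engineering"}}

# Constructed ACL held at the PEP: named-group entries first, catch-all deny last.
ACL = [AclEntry("engineering", "git", True), AclEntry("finance", "payroll", True),
       AclEntry("*", "*", False)]

@dataclass
class PolicyEnforcementPoint:
    acl: list
    groups: dict = field(default_factory=dict)  # group name -> set of bound addresses

    def bind(self, address, user, directory=DIRECTORY):
        # Binding (address -> authenticated user) from the external binding process:
        # the address joins every named group the user is a member of.
        for group in directory.get(user, ()):
            self.groups.setdefault(group, set()).add(address)

    def unbind(self, address):
        # The user discontinued use of the client: drop the address from every group.
        for members in self.groups.values():
            members.discard(address)

    def permit(self, src, resource):
        # First matching entry decides; a flow matching no entry is implicitly denied.
        for entry in self.acl:
            if entry.resource not in ("*", resource):
                continue
            if entry.group == "*" or src in self.groups.get(entry.group, set()):
                return entry.permit
        return False

class SecurityZone:
    # Every PEP that defines the zone receives each binding and each removal.
    def __init__(self, peps):
        self.peps = list(peps)
    def distribute_binding(self, address, user):
        for pep in self.peps:
            pep.bind(address, user)
    def distribute_logout(self, address):
        for pep in self.peps:
            pep.unbind(address)
```

Because the ACL refers only to group names, no per-user rule is ever written to a PEP; the binding and the logout are the only events that change what a given source address may reach.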